The changeOwner function in the MysteryBox contract lacks proper access control, allowing any user to change the contract's owner at will.
The changeOwner function is designed to update the owner state variable to a new address. However, it does not include any checks to verify that the caller is the current owner. Here is the vulnerable code:
Without a require statement to restrict access, any user can call this function and set themselves or another address as the owner of the contract.
This vulnerability has severe implications:
Unauthorized Access: Malicious actors can take over the contract by setting themselves as the owner.
Financial Loss: The new unauthorized owner can withdraw all funds from the contract using the withdrawFunds function.
Manipulation of Contract State: They can change the boxPrice via setBoxPrice, affecting the game's economy.
Trust Erosion: Users may lose trust in the platform if they suffer losses due to unauthorized changes.
Manual Code Review: Carefully examining the Solidity code to identify missing access controls.
Implement an access control check to ensure that only the current owner can execute the changeOwner function. Here is the corrected code:
Additionally, consider the following:
Use OpenZeppelin's Ownable Contract: Incorporate standardized ownership management by inheriting from OpenZeppelin's Ownable contract, which includes secure ownership transfer mechanisms.
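The missing check and the `require`-based fix described above, side by side, as an added example that is not the audited MysteryBox source. The contract names `MysteryBoxVulnerable` and `MysteryBoxFixed`, the `_newOwner` parameter, the `onlyOwner` modifier, the `OwnerChanged` event, the zero-address guard and the revert strings are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the audited contract. Names other than
// `owner` and `changeOwner` are assumptions.

contract MysteryBoxVulnerable {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // No check on msg.sender: any account can overwrite `owner`.
    function changeOwner(address _newOwner) public {
        owner = _newOwner;
    }
}

contract MysteryBoxFixed {
    address public owner;

    // Emitted on every handover so ownership changes can be monitored off-chain.
    event OwnerChanged(address indexed previousOwner, address indexed newOwner);

    constructor() {
        owner = msg.sender;
    }

    // Reusable guard: reverts unless the caller is the current owner.
    modifier onlyOwner() {
        require(msg.sender == owner, "Only owner can call this function");
        _;
    }

    // Only the current owner may transfer ownership.
    function changeOwner(address _newOwner) public onlyOwner {
        // Assumed extra guard: a zero-address owner would permanently
        // lock every owner-only function.
        require(_newOwner != address(0), "New owner is the zero address");
        emit OwnerChanged(owner, _newOwner);
        owner = _newOwner;
    }
}
```

The same `onlyOwner` guard is what any other owner-only function, such as `withdrawFunds` and `setBoxPrice`, relies on, so its value depends on `changeOwner` being protected first.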